sysctl
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#
# One "key = value" per line; '#' starts a full-line comment. Keys are written
# to /proc/sys in file order, so a later line for the same key wins, and a key
# the running kernel does not have is reported by `sysctl -p`.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
# Reboot 10 seconds after a kernel panic instead of hanging (0 waits forever).
# Keeps an unattended host from staying wedged; use 0 when you need to read
# the panic on the console.
kernel.panic = 10
###################################################################
# IPv4 networking start
###################################################################
# Most net.ipv4.conf.* keys come in three flavours: "all" (combined with the
# per-interface value for every interface), "default" (template copied to
# interfaces created after this file is applied) and "<ifname>". Hardening
# keys are set on both all and default so existing and future interfaces are
# covered.
#
# Reverse-path filtering (RFC 1812): drop packets whose source address is not
# reachable back through the interface they arrived on. Defeats simple source
# spoofing; 1 = strict mode.
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
# TCP SYN cookies (see http://lwn.net/Articles/277146/): once the listen
# backlog overflows, answer SYNs statelessly so a SYN flood cannot exhaust it.
# Note: This may impact IPv6 TCP sessions too.
net.ipv4.tcp_syncookies = 1
# Retransmit the SYN-ACK only twice (kernel default is 5) so half-open
# connections left by a flood time out sooner.
net.ipv4.tcp_synack_retries = 2
# Packet forwarding for IPv4: off, this host is not a router
net.ipv4.ip_forward = 0
# RFC 1337 (TIME-WAIT Assassination Hazards in TCP, 1992): ignore RST segments
# for sockets in TIME-WAIT instead of letting them tear the state down early.
# Cheap to enable; whether it ever hurts performance is still debated, and the
# only router likely to have trouble with it is probably your own.
net.ipv4.tcp_rfc1337 = 1
# TCP window scaling (RFC 7323): allows receive windows larger than 64 KiB,
# which is needed for throughput on high bandwidth-delay paths. Already the
# kernel default; kept explicit.
net.ipv4.tcp_window_scaling = 1
# If enabled, assume that no receipt of a window-scaling option means that the
# remote TCP is broken and treats the window as a signed quantity. If
# disabled, assume that the remote TCP is not broken even if we do not receive
# a window scaling option from it.
net.ipv4.tcp_workaround_signed_windows = 1
# TCP SACK (RFC 2018): the receiver reports which non-contiguous blocks it
# already holds, so only the missing segments are retransmitted. FACK was a
# loss-estimation heuristic built on SACK; it was removed from newer kernels
# (around 4.15), where this line is accepted but has no effect.
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fack = 1
# 1 prefers low latency over throughput (good for Remote Desktop and VoIP,
# less so for bulk transfer). NOTE(review): newer kernels (4.14 and later)
# dropped the code path behind this knob; it is accepted but ignored there.
net.ipv4.tcp_low_latency = 1
# Path MTU discovery (RFC 1191; RFC 2923 is a good review): ip_no_pmtu_disc = 0
# keeps it enabled. It depends on ICMP "fragmentation needed" messages, so a
# router that blocks ICMP creates a black hole. tcp_mtu_probing = 1 enables
# Packetization-Layer PMTUD (RFC 4821) as a fallback: TCP probes for a working
# MTU only after a black hole is detected (2 would probe always). If you see
# stalls on a broken path, set ip_no_pmtu_disc = 1 as a last resort.
net.ipv4.ip_no_pmtu_disc = 0
net.ipv4.tcp_mtu_probing = 1
# F-RTO (RFC 5682) tells spurious retransmission timeouts on wireless links
# apart from real loss; the kernel default already enables it. tcp_frto_response
# no longer exists on recent kernels, so uncommenting it would make `sysctl -p`
# report an unknown key.
#net.ipv4.tcp_frto = 2
#net.ipv4.tcp_frto_response = 2
# TCP Congestion Controls
#
# Windows Vista and newer gained Compound TCP as an alternative to standard TCP
# Reno. Linux Kernel 2.6 has had numerous mechanisms available to it for some
# time: 2.6.19 defaulted to CUBIC which was supposed to work well over "long
# links." My two personal favorites: TCP Westwood + and TCP Illinois. But you
# can dig in, look at different research papers online, and see what works best
# for your environment.
#
# 1. Make sure your kernel has the correct module: in my example, I use TCP
# Illinois, which has been compiled with any standard Ubuntu kernel since 2008,
# and is found as tcp_illinois. 2. Add said kernel module to /etc/modules
# 3. Change /etc/sysctl.conf to use the non "tcp_" part of your selection.
# The module must already be loaded when this file is applied, otherwise this
# line fails and the kernel silently stays on its default (cubic). Check with
# `sysctl net.ipv4.tcp_available_congestion_control`.
net.ipv4.tcp_congestion_control = illinois
# ICMP redirects let any on-link sender rewrite this host's routing table, so
# accepting them from arbitrary peers enables MITM. accept_redirects = 0 on
# all and default rejects them outright. secure_redirects only narrows which
# redirects are honoured (to the configured default gateways) and has no
# effect while accept_redirects is 0; the all/default values differ below
# (1 vs 0) but neither matters as configured.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Do not accept IP source route (SRR) packets (we are not a router)
net.ipv4.conf.all.accept_source_route = 0
# Log packets with impossible (martian) source addresses and rp_filter drops.
# Noisy on busy networks but useful forensically; the all flag alone is enough
# for this key (all and per-interface values are ORed).
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Ignore ICMP ECHO and TIMESTAMP requests sent to broadcast/multicast
# addresses, so this host cannot be used as a smurf amplifier
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Reuse sockets in TIME-WAIT for new outgoing connections when the TCP
# timestamp makes it safe (needs tcp_timestamps, on by default). Safe for
# clients; unlike the old tcp_tw_recycle it does not break peers behind NAT.
net.ipv4.tcp_tw_reuse = 1
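###################################################################
# IPv6 networking start
###################################################################
# NOTE(review): unlike IPv4, most net.ipv6.conf.all.* keys are not consulted
# when packets are processed; the per-interface value is what counts, and
# "default" only seeds interfaces created after this file is applied. An
# interface that already exists when sysctl runs at boot keeps the kernel
# defaults unless the matching net.ipv6.conf.<ifname>.* key is also set.
# Verify the effective values with `sysctl net.ipv6.conf` on the running host.
#
# Disable IPv6 entirely (uncomment all three on a host with no IPv6 uplink;
# disabling it on lo as well avoids the ::1 listeners).
#net.ipv6.conf.all.disable_ipv6 = 1
#net.ipv6.conf.default.disable_ipv6 = 1
#net.ipv6.conf.lo.disable_ipv6 = 1
# Do not accept ICMPv6 redirects (prevents an on-link attacker from steering
# this host's traffic through itself). Set on default too so new interfaces
# are covered, mirroring the IPv4 section. There is no secure_redirects key
# for IPv6; the IPv4-only knob is deliberately not repeated here, where
# `sysctl -p` would report it as unknown.
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Packet forwarding for IPv6: off, this host is not a router. Setting 1 makes
# the host a router and disables Stateless Address Autoconfiguration based on
# Router Advertisements for it.
net.ipv6.conf.all.forwarding = 0
# Do not accept IPv6 source-routed packets (routing header type 0, RFC 5095)
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Router Solicitations to send before assuming no routers are present: 0,
# because this is a statically configured host, not a router client
net.ipv6.conf.default.router_solicitations = 0
# Ignore the Router Preference field in Router Advertisements
net.ipv6.conf.default.accept_ra_rtr_pref = 0
# Do not learn prefixes (and so SLAAC addresses) from Router Advertisements
net.ipv6.conf.default.accept_ra_pinfo = 0
# Do not learn a default router from Router Advertisements
net.ipv6.conf.default.accept_ra_defrtr = 0
# Do not autoconfigure global unicast addresses from Router Advertisements
net.ipv6.conf.default.autoconf = 0
# With every RA-derived setting above off, accept_ra = 0 (ignore RAs outright)
# would be the consistent next step, since an RA can still change a few other
# fields such as MTU. Not set here because, like the keys above, it needs the
# per-interface key to take effect on interfaces that already exist.
# Duplicate Address Detection probes per address: 0 disables DAD, so an
# address conflict on the link goes undetected. Only acceptable with the
# static, single-address setup intended here.
net.ipv6.conf.default.dad_transmits = 0
# Maximum global unicast addresses that may be assigned to each interface
net.ipv6.conf.default.max_addresses = 1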
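###################################################################
# Kernel, memory and socket tuning
###################################################################
# ExecShield is a RHEL/CentOS-only key; leave it commented on other distros or
# `sysctl -p` reports an unknown key.
#kernel.exec-shield = 1
# Address-space layout randomisation: 2 randomises stack, mmap, VDSO and the
# heap (brk); 1 leaves the heap at a predictable offset relative to the
# binary. 2 has been the kernel default since 2.6.26, so the previous value
# of 1 actually weakened ASLR.
kernel.randomize_va_space = 2
# TCP socket buffers: min, default, max bytes. The max bounds what
# setsockopt(SO_RCVBUF/SO_SNDBUF) and receive autotuning can grow a buffer to.
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
# Ceiling for all socket buffers; must be at least the tcp_*mem max above
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
# Packets queued per CPU when the NIC delivers faster than the stack drains
net.core.netdev_max_backlog = 5000
# net.ipv4.tcp_window_scaling is already set in the IPv4 section above; the
# duplicate line that used to follow here was dropped.
# System-wide open file limit. NOTE(review): the kernel sizes this from RAM,
# and on any machine with more than about 1 GB the built-in default already
# exceeds 65535, so this line may *lower* the limit. Compare with
# `sysctl fs.file-max` before keeping it.
fs.file-max = 65535
# Allow for more PIDs (32768 is the classic default)
kernel.pid_max = 65536
# Ephemeral port range used for outgoing connections
net.ipv4.ip_local_port_range = 2000 65000
# Always allow memory overcommit (database/JVM recommendation, see [5]);
# trades allocation failures for OOM-killer risk under real memory pressure.
vm.overcommit_memory = 1
# Do not reclaim pages from the local NUMA zone before allocating remotely
vm.zone_reclaim_mode = 0
# Maximum memory map areas per process (mmap-heavy databases, see [5])
vm.max_map_count = 131072
# Magic SysRq key disabled: keeps anyone with console keyboard access from
# dumping memory, killing processes or rebooting the box with key chords.
kernel.sysrq = 0
# Append the PID to core dump filenames — useful when debugging
# multi-threaded applications
kernel.core_uses_pid = 1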
# References:
# [1] http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/
# [2] http://www.slashroot.in/linux-network-tcp-performance-tuning-sysctl
# [3] http://www.cyberciti.biz/faq/linux-tcp-tuning/
# [4] http://wwwx.cs.unc.edu/~sparkst/howto/network_tuning.php
# [5] http://docs.datastax.com/en/cassandra/2.0/cassandra/install/installRecommendSettings.html
# [6] http://www.tldp.org/LDP/Linux-Filesystem-Hierarchy/html/proc.html